<html><head></head><body><div dir="ltr"><div dir="ltr"><div style="mso-line-height-rule:exactly;-webkit-text-size-adjust:100%;">Matt Harris | Infrastructure Lead Engineer</div>On Fri, Oct 9, 2020 at 2:27 PM Christopher J. Wolff <<a href="mailto:cjwolff@nola.gov">cjwolff@nola.gov</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="gmail-m_6885205557906700075WordSection1">
<p class="MsoNormal">Dear Nanog;</p>
<p class="MsoNormal">Hope everyone is getting ready for a good weekend.  I’m working on a greenfield service provider network and I’m running into a security challenge.  I hope the great minds here can help.</p>
<p class="MsoNormal">Since the majority of traffic is SSL/TLS, encrypted malicious content can pass through even an “NGFW” device without detection and classification.</p>
<p class="MsoNormal">Without setting up SSL encrypt/decrypt through a MITM setup and handing certificates out to every client, is there any other software/hardware that can perform DPI and/or SSL analysis so I can prevent encrypted malicious content from being downloaded to my users?</p>
<p class="MsoNormal">Have experience with Palo and Firepower but even these need the MITM approach.  I appreciate any advice anyone can provide.</p></div></div></blockquote><div><br></div><div>Do you really want to do this? Ask yourself not whether you want to protect your users from malicious content, but rather ask yourself do you want to expose all of their financial, medical, and other personal details to anyone who may have access (including potentially unauthorized access) to this system? As a service provider with a customer/user base that you do not directly control, the answer should almost certainly always be "no." </div><div><br></div><div>It's one thing to implement this sort of snooping in an office/corporate environment: there you have direct control over systems to install MITM CA certificates, and the ability to set policies like "don't view personal websites or enter personal financial, medical, or other private details on a work computer outside of communicating with HR" or somesuch. </div><div><br></div><div>Instead, I'd recommend distributing good anti-malware software that provides endpoint protection for their devices and teaching security best practices to your users. You can also block access to known-bad hosts and addresses either at your border via packet filtering, or via the recursive DNS servers that you feed to clients. This may have the unintended consequence of false positives resulting in additional support inquiries, but overall is much better than trying to MITM secure connections from your customer/user base. </div><div><br></div><div>Good luck! </div><div><br></div></div></div>
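<div>The reply above recommends blocking known-bad hosts at the border packet filter or in the recursive resolvers handed to clients, and warns that false positives will show up as support inquiries. The script below is an added example of the resolver half of that, not code from either poster: it turns a domain indicator feed into Unbound <code>local-zone</code> lines. The feed format (one name per line, <code>#</code> comments), every domain in <code>SAMPLE_FEED</code>, and the helper names are constructed for this illustration; the <code>always_nxdomain</code> / <code>always_refuse</code> zone types and the <code>log-local-actions</code> option are Unbound's own configuration. IP literals in the feed are deliberately skipped, since those belong in the packet filter rather than the resolver, and subdomains of an already-listed parent are collapsed because a local-zone covers everything beneath its apex.</div>

```python
"""Build an Unbound resolver blocklist from a domain indicator feed.

Added illustration of the "block known-bad hosts via recursive DNS" suggestion
in the reply above; not code from the original thread. The feed format (one
name per line, '#' comments) and every domain in SAMPLE_FEED are constructed
placeholders, not real indicators.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample feed: mixed case, trailing dot, a comment, a duplicate,
# a subdomain of an already-listed parent, an IP literal and a junk line.
SAMPLE_FEED = """\
# constructed indicator feed (placeholder names, not real threat intel)
Malware-Drop.example.
malware-drop.example
cdn.malware-drop.example
phish-login.example.net
203.0.113.10
not a domain!
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry: str) -> Optional[str]:
    """Lower-case and strip a feed line; return None for comments, blanks,
    IP literals (those belong in the border packet filter, not the resolver)
    and anything that is not a syntactically valid hostname."""
    name = entry.strip().lower().rstrip(".")
    if not name or name.startswith("#"):
        return None
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return name


def collapse(domains: Iterable[str]) -> List[str]:
    """Deduplicate and drop names whose parent is already listed: an Unbound
    local-zone applies to the zone apex and every name beneath it."""
    ordered = sorted(set(domains), key=lambda d: (d.count("."), d))  # parents first
    kept: List[str] = []
    for d in ordered:
        if any(d == k or d.endswith("." + k) for k in kept):
            continue
        kept.append(d)
    return sorted(kept)


def parse_feed(text: str) -> List[str]:
    """Turn raw feed text into the minimal list of zones to block."""
    return collapse(n for n in (normalize(line) for line in text.splitlines()) if n)


def unbound_config(domains: Iterable[str], action: str = "always_nxdomain") -> str:
    """Render a server clause of local-zone lines. 'always_nxdomain' answers
    NXDOMAIN for the zone and everything under it; 'always_refuse' returns
    REFUSED instead. 'log-local-actions: yes' makes Unbound log each blocked
    lookup, so a false-positive support ticket can be traced quickly."""
    if action not in {"always_nxdomain", "always_refuse"}:
        raise ValueError(f"unsupported local-zone type: {action}")
    lines = ["server:", "    log-local-actions: yes"]
    for d in domains:
        lines.append(f'    local-zone: "{d}." {action}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python blocklist.py > /etc/unbound/unbound.conf.d/blocklist.conf
    print(unbound_config(parse_feed(SAMPLE_FEED)), end="")
```

<div>Generating the config from the feed rather than editing it by hand keeps the blocklist reviewable as a diff, which is what you want when a customer reports that a legitimate site stopped resolving: the logged local-zone action names the zone, and the diff shows which feed entry introduced it.</div>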
</body></html>